| blob | 91d9b377240683250fb2ae2b6429fdb48d6531f9 |
1 /*\r
2 * cryptographic random number generator for PuTTY's ssh client\r
3 */\r
4 \r
5 #include "putty.h"\r
6 #include "ssh.h"\r
7 #include <assert.h>\r
8 \r
9 /* Collect environmental noise every 5 minutes */\r
10 #define NOISE_REGULAR_INTERVAL (5*60*TICKSPERSEC)\r
11 \r
12 void noise_get_heavy(void (*func) (void *, int));\r
13 void noise_get_light(void (*func) (void *, int));\r
14 \r
15 /*\r
16 * `pool' itself is a pool of random data which we actually use: we\r
17 * return bytes from `pool', at position `poolpos', until `poolpos'\r
18 * reaches the end of the pool. At this point we generate more\r
19 * random data, by adding noise, stirring well, and resetting\r
20 * `poolpos' to point to just past the beginning of the pool (not\r
21 * _the_ beginning, since otherwise we'd give away the whole\r
22 * contents of our pool, and attackers would just have to guess the\r
23 * next lot of noise).\r
24 *\r
25 * `incomingb' buffers acquired noise data, until it gets full, at\r
26 * which point the acquired noise is SHA'ed into `incoming' and\r
27 * `incomingb' is cleared. The noise in `incoming' is used as part\r
28 * of the noise for each stirring of the pool, in addition to local\r
29 * time, process listings, and other such stuff.\r
30 */\r
31 \r
32 #define HASHINPUT 64 /* 64 bytes SHA input */\r
33 #define HASHSIZE 20 /* 160 bits SHA output */\r
34 #define POOLSIZE 1200 /* size of random pool */\r
35 \r
36 struct RandPool {\r
37 unsigned char pool[POOLSIZE];\r
38 int poolpos;\r
39 \r
40 unsigned char incoming[HASHSIZE];\r
41 \r
42 unsigned char incomingb[HASHINPUT];\r
43 int incomingpos;\r
44 \r
45 int stir_pending;\r
46 };\r
47 \r
48 static struct RandPool pool;\r
49 int random_active = 0;\r
50 long next_noise_collection;\r
51 \r
52 static void random_stir(void)\r
53 {\r
54 word32 block[HASHINPUT / sizeof(word32)];\r
55 word32 digest[HASHSIZE / sizeof(word32)];\r
56 int i, j, k;\r
57 \r
58 /*\r
59 * noise_get_light will call random_add_noise, which may call\r
60 * back to here. Prevent recursive stirs.\r
61 */\r
62 if (pool.stir_pending)\r
63 return;\r
64 pool.stir_pending = TRUE;\r
65 \r
66 noise_get_light(random_add_noise);\r
67 \r
68 SHATransform((word32 *) pool.incoming, (word32 *) pool.incomingb);\r
69 pool.incomingpos = 0;\r
70 \r
71 /*\r
72 * Chunks of this code are blatantly endianness-dependent, but\r
73 * as it's all random bits anyway, WHO CARES?\r
74 */\r
75 memcpy(digest, pool.incoming, sizeof(digest));\r
76 \r
77 /*\r
78 * Make two passes over the pool.\r
79 */\r
80 for (i = 0; i < 2; i++) {\r
81 \r
82 /*\r
83 * We operate SHA in CFB mode, repeatedly adding the same\r
84 * block of data to the digest. But we're also fiddling\r
85 * with the digest-so-far, so this shouldn't be Bad or\r
86 * anything.\r
87 */\r
88 memcpy(block, pool.pool, sizeof(block));\r
89 \r
90 /*\r
91 * Each pass processes the pool backwards in blocks of\r
92 * HASHSIZE, just so that in general we get the output of\r
93 * SHA before the corresponding input, in the hope that\r
94 * things will be that much less predictable that way\r
95 * round, when we subsequently return bytes ...\r
96 */\r
97 for (j = POOLSIZE; (j -= HASHSIZE) >= 0;) {\r
98 /*\r
99 * XOR the bit of the pool we're processing into the\r
100 * digest.\r
101 */\r
102 \r
103 for (k = 0; k < sizeof(digest) / sizeof(*digest); k++)\r
104 digest[k] ^= ((word32 *) (pool.pool + j))[k];\r
105 \r
106 /*\r
107 * Munge our unrevealed first block of the pool into\r
108 * it.\r
109 */\r
110 SHATransform(digest, block);\r
111 \r
112 /*\r
113 * Stick the result back into the pool.\r
114 */\r
115 \r
116 for (k = 0; k < sizeof(digest) / sizeof(*digest); k++)\r
117 ((word32 *) (pool.pool + j))[k] = digest[k];\r
118 }\r
119 }\r
120 \r
121 /*\r
122 * Might as well save this value back into `incoming', just so\r
123 * there'll be some extra bizarreness there.\r
124 */\r
125 SHATransform(digest, block);\r
126 memcpy(pool.incoming, digest, sizeof(digest));\r
127 \r
128 pool.poolpos = sizeof(pool.incoming);\r
129 \r
130 pool.stir_pending = FALSE;\r
131 }\r
132 \r
133 void random_add_noise(void *noise, int length)\r
134 {\r
135 unsigned char *p = noise;\r
136 int i;\r
137 \r
138 if (!random_active)\r
139 return;\r
140 \r
141 /*\r
142 * This function processes HASHINPUT bytes into only HASHSIZE\r
143 * bytes, so _if_ we were getting incredibly high entropy\r
144 * sources then we would be throwing away valuable stuff.\r
145 */\r
146 while (length >= (HASHINPUT - pool.incomingpos)) {\r
147 memcpy(pool.incomingb + pool.incomingpos, p,\r
148 HASHINPUT - pool.incomingpos);\r
149 p += HASHINPUT - pool.incomingpos;\r
150 length -= HASHINPUT - pool.incomingpos;\r
151 SHATransform((word32 *) pool.incoming, (word32 *) pool.incomingb);\r
152 for (i = 0; i < HASHSIZE; i++) {\r
153 pool.pool[pool.poolpos++] ^= pool.incomingb[i];\r
154 if (pool.poolpos >= POOLSIZE)\r
155 pool.poolpos = 0;\r
156 }\r
157 if (pool.poolpos < HASHSIZE)\r
158 random_stir();\r
159 \r
160 pool.incomingpos = 0;\r
161 }\r
162 \r
163 memcpy(pool.incomingb + pool.incomingpos, p, length);\r
164 pool.incomingpos += length;\r
165 }\r
166 \r
167 void random_add_heavynoise(void *noise, int length)\r
168 {\r
169 unsigned char *p = noise;\r
170 int i;\r
171 \r
172 while (length >= POOLSIZE) {\r
173 for (i = 0; i < POOLSIZE; i++)\r
174 pool.pool[i] ^= *p++;\r
175 random_stir();\r
176 length -= POOLSIZE;\r
177 }\r
178 \r
179 for (i = 0; i < length; i++)\r
180 pool.pool[i] ^= *p++;\r
181 random_stir();\r
182 }\r
183 \r
184 static void random_add_heavynoise_bitbybit(void *noise, int length)\r
185 {\r
186 unsigned char *p = noise;\r
187 int i;\r
188 \r
189 while (length >= POOLSIZE - pool.poolpos) {\r
190 for (i = 0; i < POOLSIZE - pool.poolpos; i++)\r
191 pool.pool[pool.poolpos + i] ^= *p++;\r
192 random_stir();\r
193 length -= POOLSIZE - pool.poolpos;\r
194 pool.poolpos = 0;\r
195 }\r
196 \r
197 for (i = 0; i < length; i++)\r
198 pool.pool[i] ^= *p++;\r
199 pool.poolpos = i;\r
200 }\r
201 \r
202 static void random_timer(void *ctx, long now)\r
203 {\r
204 if (random_active > 0 && now - next_noise_collection >= 0) {\r
205 noise_regular();\r
206 next_noise_collection =\r
207 schedule_timer(NOISE_REGULAR_INTERVAL, random_timer, &pool);\r
208 }\r
209 }\r
210 \r
211 void random_ref(void)\r
212 {\r
213 if (!random_active) {\r
214 memset(&pool, 0, sizeof(pool)); /* just to start with */\r
215 \r
216 noise_get_heavy(random_add_heavynoise_bitbybit);\r
217 random_stir();\r
218 \r
219 next_noise_collection =\r
220 schedule_timer(NOISE_REGULAR_INTERVAL, random_timer, &pool);\r
221 }\r
222 \r
223 random_active++;\r
224 }\r
225 \r
226 void random_unref(void)\r
227 {\r
228 random_active--;\r
229 assert(random_active >= 0);\r
230 if (random_active) return;\r
231 \r
232 expire_timer_context(&pool);\r
233 }\r
234 \r
235 int random_byte(void)\r
236 {\r
237 if (pool.poolpos >= POOLSIZE)\r
238 random_stir();\r
239 \r
240 return pool.pool[pool.poolpos++];\r
241 }\r
242 \r
243 void random_get_savedata(void **data, int *len)\r
244 {\r
245 void *buf = snewn(POOLSIZE / 2, char);\r
246 random_stir();\r
247 memcpy(buf, pool.pool + pool.poolpos, POOLSIZE / 2);\r
248 *len = POOLSIZE / 2;\r
249 *data = buf;\r
250 random_stir();\r
251 }\r